Cisco ASA 5515 - Anyconnect users can't ping other Anyconnect users. How can I allow icmp traffic between Anyconnect users?

Similar Messages

• Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN

  Hi Guys,
  I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
  Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
  For some odd reason, I am able to ping the following, with no issues.
  Cisco 3750 SVI (192.168.1.3)
  CentOS web server (connected directly to the Cisco ASA 5505)
  I have checked and enable the following:
  Nat Exemption
  Sysopt connection permit-vpn
  ACL's
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  Added ICMP in the inspection policy
  Packet-capture - Only getting echo requests.
  Thanks in advance!

  Hi,
  I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
  object network acvpnpool
  subnet <anyconnect VPN Subnet>
  object network insidelan
  subnet <inside lan subnet>
  nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
  Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
  Regards
  Karthik

• NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

  Hi everyone,
  Hoping someone can help please.
  We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
  We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
  What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
  then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
  Has anyone implemented this before and if so, are there any guides available please?
  Many Thanks,
  Dean.

  Hi Dean,
  Thanks for posting here.
  Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
  Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
  Checklist: Configure NPS for Dial-Up and VPN Access
  http://technet.microsoft.com/en-us/library/cc754114.aspx
  Thanks.
  Tiger Li
  Tiger Li
  TechNet Community Support

• Cisco asa 5515x web user management

  hi all,
  i bought recently a new asa 5515x, i'm also new to it especially if i can have user login to internet before they can use the internet.  my 5515 security license is a plus license.  and also if that user management can be integrated with active directory 2008 r2.
  thanks for any comment you may add.

  The ASA should be able to talk to your AD via either LDAP or Kerberos..
  And yes, you need the CX to perform content filtering on the ASA itself, or you can look at the Ironport appliances or Cloud Web Security (scansafe) fir additional filtering options
  Sent from Cisco Technical Support iPad App

• Cisco ASA 5505 AnyConnect SSL VPN problem

  Hi!
  I have a small network, wiht ASA 5505, 8.4:
  Inside network: 192.168.2.0/24
  Outside: Static IP
  I would like to deploy a SSL AnyConnect setup.
  The state:
  -I give the correct IP from my predefined VPN pool (10.10.10.0/24).
  But, could not reach any resource, could not ping too. My host has given 10.10.10.1 IP, and I had a GW: 10.10.10.2. Where is this GW from?
  Could you help me?
  Here is my config (I omitted my PUBLIC IP, and GW): 
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.4(4)1
  hostname valamiASA
  domain-name valami.local
  enable password OeyyCrIqfUEmzen8 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  switchport access vlan 12
  interface Vlan1
  description LAN
  no forward interface Vlan12
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  interface Vlan2
  description WAN
  nameif outside
  security-level 0
  ip address MY_STATIC_IP 255.255.255.248
  interface Vlan12
  description Vendegeknek a valamiHotSpot WiFi-hez
  nameif guest
  security-level 100
  ip address 192.168.4.1 255.255.255.0
  management-only
  ftp mode passive
  clock timezone GMT 0
  dns domain-lookup inside
  dns domain-lookup outside
  dns domain-lookup guest
  dns server-group DefaultDNS
  name-server 62.112.192.4
  name-server 195.70.35.66
  domain-name valami.local
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network inside-net
  subnet 192.168.2.0 255.255.255.0
  object network guest-net
  subnet 192.168.3.0 255.255.255.0
  object network NETWORK_OBJ_192.168.2.128_25
  subnet 192.168.2.128 255.255.255.128
  object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object ip
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  protocol-object icmp
  access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
  access-list AnyConnect_Client_Local_Print extended deny ip any any
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
  access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu guest 1500
  ip local pool valami_vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  object network inside-net
  nat (inside,outside) dynamic interface
  object network guest-net
  nat (guest,outside) dynamic interface
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  access-group global_access global
  route outside 0.0.0.0 0.0.0.0 MY_STATIC_GW 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa local authentication attempts max-fail 16
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable inside
  enable outside
  anyconnect-essentials
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy GroupPolicy_valami_VPN internal
  group-policy GroupPolicy_valami_VPN attributes
  wins-server value 192.168.2.2
  dns-server value 192.168.2.2
  vpn-tunnel-protocol ssl-client
  split-tunnel-policy tunnelall
  default-domain value valami.local
  webvpn
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask enable default anyconnect timeout 30
    customization none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
  username test password P4ttSyrm33SV8TYp encrypted
  tunnel-group valami_VPN type remote-access
  tunnel-group valami_VPN general-attributes
  address-pool valami_vpn_pool
  default-group-policy GroupPolicy_valami_VPN
  tunnel-group valami_VPN webvpn-attributes
  group-alias valami_VPN enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:d54de340bb6794d90a9ee52c69044753
  : end

  First of all thanks your link.
  I know your notes, but i don't understand 1 thing:
  if i check nat exemption in the anyconnect wizad, why should i make nat exemption rule?
  A tried creating a roule, but it is wrong.
  My steps (on ASDM):
  1: create network object (10.10.10.0/24), named VPN
  2: create nat rule: source any, destination VPN, protocol any
  Here is my config:
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.4(4)1
  hostname companyASA
  domain-name company.local
  enable password OeyyCrIqfUEmzen8 encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  switchport access vlan 12
  interface Vlan1
  description LAN
  no forward interface Vlan12
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  interface Vlan2
  description WAN
  nameif outside
  security-level 0
  ip address 77.111.103.106 255.255.255.248
  interface Vlan12
  description Vendegeknek a companyHotSpot WiFi-hez
  nameif guest
  security-level 100
  ip address 192.168.4.1 255.255.255.0
  ftp mode passive
  clock timezone CEST 1
  clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
  dns domain-lookup inside
  dns domain-lookup outside
  dns domain-lookup guest
  dns server-group DefaultDNS
  name-server 62.112.192.4
  name-server 195.70.35.66
  domain-name company.local
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network inside-net
  subnet 192.168.2.0 255.255.255.0
  object network guest-net
  subnet 192.168.3.0 255.255.255.0
  object network NETWORK_OBJ_192.168.2.128_25
  subnet 192.168.2.128 255.255.255.128
  object network WEBSHOP
  host 192.168.2.2
  object network INSIDE_HOST
  host 10.100.130.5
  object network VOIP_management
  host 192.168.2.215
  object network Dev_1
  host 192.168.2.2
  object network Dev_2
  host 192.168.2.2
  object network RDP
  host 192.168.2.2
  object network Mediasa
  host 192.168.2.17
  object network VOIP_ePhone
  host 192.168.2.215
  object network NETWORK_OBJ_192.168.4.0_28
  subnet 192.168.4.0 255.255.255.240
  object network NETWORK_OBJ_10.10.10.8_29
  subnet 10.10.10.8 255.255.255.248
  object network VPN
  subnet 10.10.10.0 255.255.255.0
  object network VPN-internet
  subnet 10.10.10.0 255.255.255.0
  object-group protocol DM_INLINE_PROTOCOL_3
  protocol-object ip
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_1
  protocol-object ip
  protocol-object icmp
  object-group protocol DM_INLINE_PROTOCOL_2
  protocol-object ip
  protocol-object icmp
  access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
  access-list AnyConnect_Client_Local_Print extended deny ip any any
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
  access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
  access-list AnyConnect_Client_Local_Print remark Windows' printing port
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
  access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
  access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
  access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
  access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
  access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
  access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
  access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
  access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu guest 1500
  ip local pool company_vpn_pool 10.10.10.10-10.10.10.15 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  no asdm history enable
  arp timeout 14400
  nat (any,any) source static any any destination static VPN VPN
  nat (inside,outside) source static inside-net inside-net destination static VPN VPN
  object network inside-net
  nat (inside,outside) dynamic interface
  object network guest-net
  nat (guest,outside) dynamic interface
  access-group inside_access_in in interface inside
  access-group outside_access_in in interface outside
  access-group global_access global
  route outside 0.0.0.0 0.0.0.0 77.111.103.105 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  aaa local authentication attempts max-fail 16
  http server enable
  http 192.168.2.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics host
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable inside
  enable outside
  anyconnect-essentials
  anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  anyconnect enable
  tunnel-group-list enable
  group-policy GroupPolicy_company_VPN internal
  group-policy GroupPolicy_company_VPN attributes
  wins-server value 192.168.2.2
  dns-server value 192.168.2.2
  vpn-tunnel-protocol l2tp-ipsec
  split-tunnel-policy tunnelall
  default-domain value company.local
  webvpn
    anyconnect ssl rekey time 30
    anyconnect ssl rekey method ssl
    anyconnect ask enable default anyconnect timeout 30
    customization none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
  group-policy GroupPolicy_VPN internal
  group-policy GroupPolicy_VPN attributes
  wins-server none
  dns-server value 62.112.192.4 195.70.35.66
  vpn-tunnel-protocol ssl-client
  default-domain value company.local
  username test password P4ttSyrm33SV8TYp encrypted
  tunnel-group company_VPN type remote-access
  tunnel-group company_VPN general-attributes
  address-pool company_vpn_pool
  default-group-policy GroupPolicy_company_VPN
  tunnel-group company_VPN webvpn-attributes
  group-alias company_VPN enable
  tunnel-group VPN type remote-access
  tunnel-group VPN general-attributes
  address-pool company_vpn_pool
  default-group-policy GroupPolicy_VPN
  tunnel-group VPN webvpn-attributes
  group-alias VPN enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    inspect icmp error
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:33ee37a3722f228f9be9b84ef43f731e
  : end
  Could you give me a CLI-code?
  (or ASDM steps).

• Cisco ASA 5505 - EasyVPN - ARD can't scan remote Networks

  Hi all,
  We have been installing Cisco ASA5505 to hook our systems and remote offices together.  Our first install went great, and I can scan the remote network no problem, this network is setup using the site to site VPN setup.
  Since then we have added 3 more ASA5505 so the the mix, these are not running via the Site to Site VPN but are rather using the EZVPN.
  On the Remote ASAs using EasyVPN, I cannot scan the networks with ARD or even Ping. 
  I am wondering if anyone has any insights on this?  I know this info is a bit sketchy...
  I will post more as I get it.

  ASAs are the default gw for respective LANs. For the point 2 if i trace the packets i can see that their are blocked
  packet-tracer input inside-g tcp 192.168.1.42 80 192.168.2.31 80
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   192.168.2.0     255.255.255.0   outside
  Phase: 2
  Type: UN-NAT
  Subtype: static
  Result: ALLOW
  Config:
  nat (inside-g,outside) source static obj-LAN-G obj-LAN-G destination static obj-LAN-BO obj-LAN-BO no-proxy-arp route-lookup
  Additional Information:
  NAT divert to egress interface outside
  Untranslate 192.168.2.31/80 to 192.168.2.31/80
  Phase: 3
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
  Result:
  input-interface: inside-g
  input-status: up
  input-line-status: up
  output-interface: outside
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  192.168.1.42 is the ASA1 inside IP address. But i've an explicit ACL that permits ALL traffic from 192.168.1.0/24.
  I've also tried to add an ACL for the specific IP for inside interface but with no results.

• Connectivity Issues Cisco ASA 5515 in Transparent Mode

  Hi,
  we´re having problems with one transparent mode setup at one customer site. The ASA is equiped with a CX Module, but we´re not using it, so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global acl that allows any-any-IP.
  Firewall-Info:
  - ASA Version 9.1(2) 
  - Interfaces gi0/0 + gi0/2 without any interface errors
  The ASA 5515x is configured as a "bump in the wire". In general our setup is working but with beginning of the installation of the firewall the customer faces following connection issues, without the firewall no problems:
  - Connections to SAP-Servers behind the MPLS begin to drop, affected all users
  - Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
  - http downloads are stopping, Customer: it will stop responding and the download will fail.
  In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
  I recognized, that we unconfigured the default inspection during initial setup and reconfigured this entry for the cx module. So the the default inspection with all the settings are not present any more... How important are these settings? One phenomen is, that I´ve seen a large numbers of concurrent connections that increased over time. And we already had that situation, that the firewall reached the max-conn count.
  Should I try to reconfigure the default inspection, as it ships from factory? And whats the best way to check for problems? What can be the reason for the dropping connections?
  I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
  Best Regards
  Sebastian

  Hi Vibhor,
  thanks for your reply. Does this also affect the traffic, even the setting is set to "Monitor Only" ?
  Is it recommend to configure the default-inspection rule as a default setting? 
  Further Question: I´ve read sth. about, that service policy rules must be "reloaded" to take effect, after they have been changed. Is that right and how do I reload them?
  Here is an output from sh asp drop, do I have to care about certain values? This values result from two connected users doing some downloads over a 2Mbit connection.
  ciscoasa# show asp drop
  Frame drop:
    Invalid encapsulation (invalid-encap)                                       10
    First TCP packet not SYN (tcp-not-syn)                                     114
    TCP failed 3 way handshake (tcp-3whs-failed)                                 3
    TCP RST/FIN out of order (tcp-rstfin-ooo)                                   18
    Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
    L2 Src/Dst same LAN port (l2_same-lan-port)                                260
    FP L2 rule drop (l2_acl)                                                  2958
    Interface is down (interface-down)                                        9420
    No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
    Dropped pending packets in a closed socket (np-socket-closed)               66
  Thanks
  Sebastian

• Does Cisco ASA 5500 can protect DDos Attack - Sync Flood?

  Dear All,
  Anyone do you know Cisco ASA 5510 or 5520 can protect DDos attack ans sync flood ?
  I have problem on this, so how can i protect on this, some time i saw on my log like this
  "sync flood " or "ddos to xxx.xxx.xxx.xxx" the ip address random .
  Please help me to solve this issue?
  Best Regards,
  Rechard

  Hi Rechard..Those are tcp connection values
  ip inspect max-incomplete high value (default 500)---------------->embryonic connection upper threshold value
  ip inspect max-incomplete low value (default 400)-------------------->embryonic connection lower threshold value
  ip inspect one-minute high value (default 500)------------------------>total connection  in 1 minute, upper threshold
  ip inspect one-minute low value (default 400)--------------------------->total connection in 1 min, lower threshold
  ip inspect tcp max-incomplete host value (default 50) [block-time minutes (default 0)]
  Therefore by implementing IOSFW in your router and tweaking these values you may protect your internal servers from being bombwarded by SYM flood or any DOS flood, keeping in mind if there is a trrue attack then your router will proctect your internal servers however router itself will take a toll on itself, ideally to mitigate an attack the thumb rule is to mitigate by going as close to the source of the attack as possible
  you may also want to read:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd804e5098.html

• High receive discards on Sub-Interfaces in Cisco ASA.

  Hello Everyone,
  Over the past few weeks Solarwinds is reporting high receive discards on two of our subinterfaces created on Cisco ASA. No errors are observed on other subinterfaces. I checked the trunk port interface on the switch for any errors but found none. These errors are visible only under subinterface. What could be the issue?
  Regards

  I have the same problem too.
  I have Cisco ASA 5515  with the next version:
  Cisco Adaptive Security Appliance Software Version 9.1(4)
  My interface configuration is the next:
  PortChannel5 made with    Interface GigabitEthernet 0/2 + Interface GigabitEthernet 0/3
  Subinterfaces in PortChannel5
  Nagios Graphs shows:
  - many input discards in virtual subinterfaces
  - many output discards in interface Gi0/2 and Gi0/3
  - PortChannel5 output discards is the sum of discards in interface Gi0/2 and Gi0/3
  if I run the snmpwalk command against the ASA the following results were obtained:
  Interface description
  [user@FIREWALL01 ~]$ snmpwalk -v 2c -c XXXXXXX 10.255.16.1 | grep ifDescr
  IF-MIB::ifDescr.2 = STRING: Adaptive Security Appliance 'asa_mgmt_plane' interface
  IF-MIB::ifDescr.3 = STRING: Adaptive Security Appliance 'Internet' interface
  IF-MIB::ifDescr.4 = STRING: Adaptive Security Appliance 'LAN_MPLS' interface
  IF-MIB::ifDescr.5 = STRING: Adaptive Security Appliance 'GigabitEthernet0/2' interface
  IF-MIB::ifDescr.6 = STRING: Adaptive Security Appliance 'GigabitEthernet0/3' interface
  IF-MIB::ifDescr.7 = STRING: Adaptive Security Appliance 'stateifha' interface
  IF-MIB::ifDescr.8 = STRING: Adaptive Security Appliance 'statelink' interface
  IF-MIB::ifDescr.9 = STRING: Adaptive Security Appliance 'Internal-Data0/1' interface
  IF-MIB::ifDescr.10 = STRING: Adaptive Security Appliance 'cplane' interface
  IF-MIB::ifDescr.11 = STRING: Adaptive Security Appliance 'mgmt_plane_int_tap' interface
  IF-MIB::ifDescr.12 = STRING: Adaptive Security Appliance 'management' interface
  IF-MIB::ifDescr.13 = STRING: Adaptive Security Appliance 'Virtual254' interface
  IF-MIB::ifDescr.14 = STRING: Adaptive Security Appliance 'Port-channel5' interface
  IF-MIB::ifDescr.15 = STRING: Adaptive Security Appliance 'VLAN_USGLB_OOB' interface
  IF-MIB::ifDescr.16 = STRING: Adaptive Security Appliance 'VLAN_USGLBHSTHYP_MGNT' interface
  IF-MIB::ifDescr.17 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_OM' interface
  IF-MIB::ifDescr.18 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNTOM' interface
  IF-MIB::ifDescr.19 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_MGNT' interface
  IF-MIB::ifDescr.20 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVF' interface
  IF-MIB::ifDescr.21 = STRING: Adaptive Security Appliance 'VLAN_USGLBVRM_SRVB' interface
  IF-MIB::ifDescr.22 = STRING: Adaptive Security Appliance 'VLAN_USGLB_DMZ' interface
  Input discards
  [user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxx 10.255.16.1 | grep ifInDiscards
  IF-MIB::ifInDiscards.2 = Counter32: 0
  IF-MIB::ifInDiscards.3 = Counter32: 0
  IF-MIB::ifInDiscards.4 = Counter32: 0
  IF-MIB::ifInDiscards.5 = Counter32: 0
  IF-MIB::ifInDiscards.6 = Counter32: 0
  IF-MIB::ifInDiscards.7 = Counter32: 0
  IF-MIB::ifInDiscards.8 = Counter32: 0
  IF-MIB::ifInDiscards.9 = Counter32: 0
  IF-MIB::ifInDiscards.10 = Counter32: 0
  IF-MIB::ifInDiscards.11 = Counter32: 0
  IF-MIB::ifInDiscards.12 = Counter32: 0
  IF-MIB::ifInDiscards.13 = Counter32: 0
  IF-MIB::ifInDiscards.14 = Counter32: 0
  IF-MIB::ifInDiscards.15 = Counter32: 12481926
  IF-MIB::ifInDiscards.16 = Counter32: 9927941
  IF-MIB::ifInDiscards.17 = Counter32: 134120211
  IF-MIB::ifInDiscards.18 = Counter32: 124695686
  IF-MIB::ifInDiscards.19 = Counter32: 27081148
  IF-MIB::ifInDiscards.20 = Counter32: 2941537222
  IF-MIB::ifInDiscards.21 = Counter32: 32714719
  IF-MIB::ifInDiscards.22 = Counter32: 4008856
  Output discards
  [user@FIREWALL01 ~]$ snmpwalk -v 2c -c xxxxxxxxxxxx 10.255.16.1 | grep ifOutDiscards
  IF-MIB::ifOutDiscards.2 = Counter32: 0
  IF-MIB::ifOutDiscards.3 = Counter32: 0
  IF-MIB::ifOutDiscards.4 = Counter32: 0
  IF-MIB::ifOutDiscards.5 = Counter32: 3635696
  IF-MIB::ifOutDiscards.6 = Counter32: 119099
  IF-MIB::ifOutDiscards.7 = Counter32: 0
  IF-MIB::ifOutDiscards.8 = Counter32: 0
  IF-MIB::ifOutDiscards.9 = Counter32: 0
  IF-MIB::ifOutDiscards.10 = Counter32: 0
  IF-MIB::ifOutDiscards.11 = Counter32: 0
  IF-MIB::ifOutDiscards.12 = Counter32: 0
  IF-MIB::ifOutDiscards.13 = Counter32: 0
  IF-MIB::ifOutDiscards.14 = Counter32: 3754795
  IF-MIB::ifOutDiscards.15 = Counter32: 0
  IF-MIB::ifOutDiscards.16 = Counter32: 0
  IF-MIB::ifOutDiscards.17 = Counter32: 0
  IF-MIB::ifOutDiscards.18 = Counter32: 0
  IF-MIB::ifOutDiscards.19 = Counter32: 0
  IF-MIB::ifOutDiscards.20 = Counter32: 0
  IF-MIB::ifOutDiscards.21 = Counter32: 0
  IF-MIB::ifOutDiscards.22 = Counter32: 0
  Output discards may be normals, but I don't understand input discards in virtual subinterfaces of PortChannel5
  By the other hand, show interface command in subinterfaces don't show error or discards packets
  FIREWALL01/pri/act#    sh interface VLAN_USGLBVRM_SRVB detail 
  Interface Port-channel5.1020 "VLAN_USGLBVRM_SRVB", is up, line protocol is up
    Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
          VLAN identifier 1020
          Description: VLAN_USGLBVRM_SRVB
          MAC address 6073.5c69.0917, MTU 1500
          IP address 10.255.19.65, subnet mask 255.255.255.192
    Traffic Statistics for "VLAN_USGLBVRM_SRVB":
          42067433644 packets input, 45125599467459 bytes
          28153119062 packets output, 8866514693262 bytes
          32715765 packets dropped
    Control Point Interface States:
          Interface number is 21
          Interface config status is active
          Interface state is active
    Control Point Vlan1020 States:
          Interface vlan config status is active
          Interface vlan state is UP
  FIREWALL01/pri/act#    sh interface VLAN_USGLBVRM_SRVF detail 
  Interface Port-channel5.1019 "VLAN_USGLBVRM_SRVF", is up, line protocol is up
    Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
          VLAN identifier 1019
          Description: VLAN_USGLBVRM_SRVF
          MAC address 6073.5c69.0917, MTU 1500
          IP address 10.255.19.1, subnet mask 255.255.255.192
    Traffic Statistics for "VLAN_USGLBVRM_SRVF":
          30475814698 packets input, 14615432248013 bytes
          27472348465 packets output, 20872697455933 bytes
          2941588838 packets dropped
    Control Point Interface States:
          Interface number is 20
          Interface config status is active
          Interface state is active
    Control Point Vlan1019 States:
          Interface vlan config status is active
          Interface vlan state is UP
  FIREWALL01/pri/act#
  Can anyone explain why so many input errors appear in the subinterfaces?
  Thanks in advance!

• Cisco ASA 5505 configuration

  Hi,
  I have configured cisco ASA 5505 but I can't get access to internet using my laptop connected to the ASA. I did not use the console but the graphical interface for the configuration. I changed the inside adress of the ASA and it is 192.168.2.1. From the inside I can't ping the material in outside and from outside I can't ping the laptop connected to the ASA.
  Here is my configuration:
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.2(5)
  hostname xxxxxxxxxxxxxxxxx
  domain-name xxxxxxxxxxxxxxxxxxx
  enable password xxxxxxxxxxxxxx encrypted
  passwd xxxxxxxxxxxxxxxxxxxx encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 192.168.1.48 255.255.255.0
  ftp mode passive
  dns server-group DefaultDNS
  domain-name processia.com
  access-list outside_access_in extended permit ip any any
  access-list icmp_out_in extended permit icmp any any
  access-list inside_access_in extended permit ip any any
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ipv6 access-list outside_access_ipv6_in permit ip any any
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group inside_access_in in interface inside
  access-group icmp_out_in in interface outside
  access-group outside_access_ipv6_in in interface outside
  route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.2.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  dhcpd address 192.168.2.2-192.168.2.129 inside
  dhcpd dns 80.10.246.2 80.10.246.129 interface inside
  dhcpd ping_timeout 5000 interface inside
  dhcpd domain xxxxxxxxxxxxxxxxx interface inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  policy-map global_policy
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:7e6f35db321b722ca60009b0c0dc706e
  : end
  Thank you for your help

  Hi Sylla,
  The static route you have configured for Internet access needs to be corrected:
  route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
  The next hop address should be your ISP's gateway IP address and not the ASA's outside interface IP. Currently, both are configured for 192.168.1.48.
  -Mike

• Cisco asa security context active/active failover

  Hi,                  
  I have two Cisco ASA 5515-X appliance running OS version 8.6. I want to configure these two appliance in multiple context mode mode.
  Each ASA appliance will have two security context named "ctx1" & "ctx2".
  I have to configure failover on these two ASA appliance such that "ctx1" will be active in one ASA box and "ctx2" will be active and process the traffic on second box to achieve this i will configure two failover group 1 & 2. And assign "ctx1" interfaces in failover group 1 and "ctx2" interface to group 2.
  I am a reading a book on failover configuration in active/active in that below note is mentioned.
  If an interface is used as the shared interface between multiple contexts, then all of those contexts need to be in the same failover redundancy group.
  What this means? can someone please explain because i also want to use a shared interface which will be used by "ctx1" & "ctx2". In this case shared interface can be used in failover group 1 & 2 ?
  Regards,
  Nick

  Yout will have to contact [email protected] or open a TAC case in order to have a new activation key generated. They can do that once they confirm your eligibility.

• Cisco ASA - Web Server Publishing

  My requirement is I need to publish 2 Web Servers to internet behind Cisco ASA.
  The users will be using secure https acccess to the Web Server.
  I have only 1 Public IP Address assigned to access both the Web Servers.
  Wanted to know what are the things required in the Cisco ASA firewall.
  1. What type of licenses ?
  2. What type of certificates ?
  3. How can i use a single Public IP to access to both the Web servers. Does the Cisco ASA supports this.
  I dont want any client software on the end users PC.....

  ThanksI do have 2 Public IP address for my 2 servers.That is clear.
  I thought you said you just have 1 Public IP in your first post. Anyways, if you do have 2 Public IPs for each server, then use Static NAT instead of PAT. Use the same commands but without the port information.
  Prior 8.3:
  static (inside,outside) public_ip1 web_server1 
  static (inside,outside) public_ip2 web_server2
  8.3 or later:
  object network web_server1_real
  host web_server1
  nat (inside,outside) static public_ip1
  object network web_server2_real
  host web_server2
  nat (inside,outside) static public_ip2
  Because Application1 will be published to the web server and the web server will be published to internet, the web server is the one to be published through ASA. I am not sure how you use Application1 and how you will publish it to the web server internally so this is out of the scope of my help.
  About Application2's security, the question is, how do you want to achieve security for App2? We have several types of security. Having the ASA infront of Application2, using NAT and using ACLs, this will achieve Access Control. However, if you want to achieve data encryption between internet clients and App2, then you have to consider PKI (or certificates) to achieve this. You also can consider IPsec remote access vpn for the App2 server. It all depends on what security flavor do you like.
  Regards,
  AM

• Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)

  OK, so our primary firewall is a checkpoint gateway. Behind that we have a cisco ASA for vpn users. I have a project at the moment where we need to connect to another company using site to site VPN through the cisco ASA, as the checkpoint gateway is unable to establish a permanent tunnel with the other companies Cisco ASA.
  What would be the best practise for setting up the local network on my side? Create the network on the ASA and then use a L2 vlan to connect to the Core switch? 
  Setup a L3 interface on the core switch and point it towards the checkpoint gateway which would then point to the ASA?
  When you have to select your local network through the site to site wizard do you have to put the inside network address of the ASA?
  Our network is setup like this: Access layer switch > Core 6500 Switch > Checkpoint-Firewall > Internet
  The ASA is connected to a checkpoint sub interface
  Any help would be beneficial as im new to cisco ASAs 
  Thanks
  Mark

  Mark
  If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use a L2 vlan. But as I think a bit more my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site to site VPN?
  HTH
  Rick

• Introduction of Cisco ASA into Environment

  Hey, 
  I have just introduced a Cisco ASA into my environment but having major issues working out how to fit it in.  I have tried to configure it as per the proposed solution but not really working
  Currently
  2960 trunk port to >1921 (10.10.1-11.1) (for inter-vlan routing)
  2960 has an 
  access port (vlan 101) to > 887va (10.10.1.2) > ISP
  Proposed
  2960 trunk port to >1921 (10.10.1-11.1) (for inter-vlan routing)
  2960 has an
  access port (vlan 101) to > ASA 5505 (10.10.1.3 (vlan 101) outside/10.10.2.2 (vlan 102) inside) (for packet inspection)
  2960 has an
  access port 101 > 887va (10.10.1.2) > ISP
  essentially, all 3 devices are connected independently to the switch
  In an attempt to get this to work, I changed the default route on the 1921 to the ASA and the ASA's default route to the 887 but when trace routing, it seems to bypass the  ASA altogether...however, when doing this, it does appear that the ASA is doing something as the ip any any ACL on ASA received a number of hits
  I have the following vlans - 
  vlan 101 (10.10.1.0), 102 (10.10.2.0), 105, 106, 107, 108, 109, 110, 111
  i'm running OSPF on all devices - 1921 advertises all vlan interfaces, the 887 advertises 10.10.1.0 and the ASA also advertises 10.10.1.0
  neighbours are forming and routes are exchanged ok.
  Natting on the 887
  Your thoughts and ideas would be grateful; I'm obviously going wrong somewhere
  Many thanks
  Jay

  Hi Jon, 
  Thanks for your prompt response, it is very much appreciated
  it's not a typo i'm afraid although i think i see your point.  My thinking here is/was that i wanted separation between the 'internal' and 'external' elements of my network and creating an inside and outside zone would do this. 10.10.1 would be the 'outside' and all other vlans would be the inside.  (I was halfway though zoning off my 887 before the introduction of the ASA and thought i could apply the same principles here.)
  You are correct re "I am assuming you want traffic from the 1921 to go through the ASA to the 887 ?" and therefore, could you explain why to your comment - "if so you cannot have the outside interface in the same subnet as the 1921 WAN interface"  What is the outside interface on the ASA for then?
  Also, could you confirm why to this one too please? - 
  "If you are running OSPF and the 887 is in the same subnet as the 1921 then it will simply bypass the ASA for return traffic." i'm assuming because the of the routing table pointing to the 1921 and not the ASA? (just clarifying)
  Finally, i'm using a default route for internet access.  i used the default-info originate command on the 887 coinnected to my ISP previously to redistribute the default route to the 1921 but removed that when testing the ASA as i wanted to manually manipulate traffic flow
  Excuse the questions
  Many thanks again
  Jay

• Cisco ASA IPsec encrypt selective traffic between peers

  Hello i have aproximately this topology:
  192.168.13.0/24  ----> ASA1 (Public IP 10.1.1.2) ---> ISP1 <----> ISP2 --->ASA2 (Public IP 10.1.2.2) ---->192.168.4.0/24
  Both ASA are 55xx
  I've setup IPsec site-to-site vpn between these two ASA and now the net 192.168.13.0/24 is able to access the net 192.168.4.0 and vice versa.
  Now, I want to access the ASA2 with via SNMP from 192.168.13.0 but it seems that ISP1 or ISP2 blocks UDP port 161 ...
  Now my question:
  can I encrypt the traffic between 192.168.13.0/24 and 10.1.2.2 ?
  I tried to add NAT and VPN ACL an entries like this:
  ASA1:
  permit from net 192.168.13.0/24 to host 10.1.2.2
  no nat from net 192.168.13.0/24 to host 10.1.2.2
  ASA2:
  permit from host 10.1.2.2 to net 192.168.13.0/24
  After this setup I watch in ASDM / monitoring / VPN Session Details:
  ASA1
  Local Addr: 192.168.13.0/24
  RemoteAddr: 10.1.2.2
  Bytes TX: 46036
  Bytes RX: 0
  ASA2
  Local Addr: 10.1.2.2
  RemoteAddr: 192.168.13.0/24
  Bytes TX: 0
  Bytes RX: 45144
  From log debugging I watch that the ICMP and SNMP packets from 192.168.13.0/24 arive to 10.1.2.2, but it seems that ASA2 doesn't repply... Any idea ?
  ASA2 config:
  route ISP2 192.168.13.0 255.255.255.0 10.1.1.2
  crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
  access-list ISP2_cryptomap line 1 extended permit ip 192.168.4.0 255.255.255.0 192.168.13.0 255.255.255.0
  access-list ISP2_cryptomap line 1 extended permit ip host 10.1.2.2 192.168.13.0 255.255.255.0
  crypto map ISP2_map4 1 match address ISP2_cryptomap
  crypto map ISP2_map4 1 set peer 10.1.1.2
  crypto map ISP2_map4 1 set ikev1 transform-set FirstSet
  crypto map ISP2_map4 1 set security-association lifetime seconds 86400
  crypto map ISP2_map4 interface ISP2
  crypto ikev1 enable ISP2
  crypto ikev1 am-disable
  crypto ikev1 policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  tunnel-group 10.1.1.2 type ipsec-l2l
  tunnel-group 10.1.1.2 ipsec-attributes
  ikev1 pre-shared-key *****
  ASA1 Config:
  route ISP1 10.1.2.2 255.255.255.255 10.1.1.1
  access-list ISP1_cryptomap line 1 extended permit ip 192.168.13.0 255.255.255.0 192.168.4.0 255.255.255.0
  access-list ISP1_cryptomap line 1 extended permit ip 192.168.13.0 255.255.255.0 host 5.56.103.111
  crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
  crypto map ISP1_map4 1 match address ISP1_cryptomap
  crypto map ISP1_map4 1 set peer 10.1.2.2
  crypto map ISP1_map4 1 set ikev1 transform-set FirstSet
  crypto map ISP1_map4 1 set security-association lifetime seconds 86400
  crypto map ISP1_map4 interface ISP1
  crypto ikev1 enable ISP1
  crypto ikev1 am-disable
  crypto ikev1 policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  tunnel-group 10.1.2.2 type ipsec-l2l
  tunnel-group 10.1.2.2 ipsec-attributes
  ikev1 pre-shared-key *****

  LAN behind ASA is 192.168.50.0/24, but i need have comunication between 
  192.168.211.0/24 and 192.168.212.0/24
  I have ACL in both direction because i need initialize connection from both sides:
  192.168.211.0/24 <-> 192.168.212.0/24
  i have both acl becasue i have two peers:
  crypto map SDM_CMAP_1 211 match address test-p1-p2
  crypto map SDM_CMAP_1 211 set peer 8.8.8.8
  crypto map SDM_CMAP_1 212 match address test-p2-p1
  crypto map SDM_CMAP_1 212 set peer 8.8.4.4
  i removed :
  route outside 192.168.211.0 255.255.255.0 194.146.123.1 1
  but it didn't help
  packet-tracer input outside icmp 192.168.211.1 0 3 192.168.212.1
  Phase: 8
  Type: VPN
  Subtype: encrypt
  Result: DROP
  Config:
  Additional Information:
  Forward Flow based lookup yields rule:
  out id=0xd83fd240, priority=70, domain=encrypt, deny=false
          hits=81, user_data=0x0, cs_id=0xd7b688c8, reverse, flags=0x0, protocol=0
          src ip=192.168.211.0, mask=255.255.255.0, port=0
          dst ip=192.168.212.0, mask=255.255.255.0, port=0, dscp=0x0